Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our User Agreement and Privacy Policy.

Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. If you continue browsing the site, you agree to the use of cookies on this website. See our Privacy Policy and User Agreement for details.

10.
My Red Team Core Principals
○ Adversary simulation, not emulation.
○ Goal is specific data, trophy systems, or apps. Not DA
(unless DA a trophy, which it shouldn’t be).
○ Emphasize stealth over speed.
○ Active defense should be encouraged, to a point. Goal isn’t
to “win” (either red or blue).
○ Scope should be as open as possible, including physical.
○ There should always be a “tip your hand” moment.

17.
Domains
1. Determine the sensitive trafﬁc that must not be decrypted: Best practice
dictates that you decrypt all trafﬁc except that in sensitive categories, such as
Health, Finance, Government, Military and Shopping.
https://blog.paloaltonetworks.com/2018/11/best-practices-enabling-ssl-decryption/
Palo Alto SSL Decryption Best Practices

27.
Core Principals: SE
○ Phishing:
○ 5 addresses max at a time, all bcc’d, with 15 mins between
sends. Send from O365.
○ Links, not attachments.
○ Never a worry from Proofpoint.
○ Lead off with your latest tradecraft and downgrade as you get a
feel for the environment. Don’t abuse your TTPs.
○ Eventually pivot to assumed breach (about 50% way through)

28.
Infr. Automation with Ansible
○ Ansible is an open source platform that automates software
provisioning, config mgmt & app deployement
○ It uses YAML files (.yml) to express gruops of commands
called tasks.
○ All tasks are executed on a target server using SSH +
Python. No agents required!
○ Modules make up the bulk of functionality, allowing a
variety of tasks like copying files, service management, etc

60.
Core Principals: Communication/Reporting
○ Status Updates: Use “selective caution” when sharing.
○ Full walkthrough/narrative must be included in the report!
○ Findings: Less in number, better in quality. No SSL v2 nonsense
unless you actually did something with it.
○ Consultants: Offer multiple follow up calls with defense team. These
are *the best*.